Ruleset Update Summary - 2025/05/12 - v10925

rulesbot · May 12, 2025, 8:45pm

Summary:

63 new OPEN, 81 new PRO (63 + 18)

Thanks @AikidoSecurity

Added rules:

Open:

2062229 - ET INFO DYNAMIC_DNS Query to a *.faizinternational .com .np domain (info.rules)
2062230 - ET INFO DYNAMIC_DNS HTTP Request to a *.faizinternational .com .np domain (info.rules)
2062231 - ET INFO DYNAMIC_DNS Query to a *.brianpuppy .com domain (info.rules)
2062232 - ET INFO DYNAMIC_DNS HTTP Request to a *.brianpuppy .com domain (info.rules)
2062233 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (animatcxju .live) (malware.rules)
2062234 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (animatcxju .live) in TLS SNI (malware.rules)
2062235 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (blackljjwc .run) (malware.rules)
2062236 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (blackljjwc .run) in TLS SNI (malware.rules)
2062237 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (blackswmxc .top) (malware.rules)
2062238 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (blackswmxc .top) in TLS SNI (malware.rules)
2062239 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (interpwthc .digital) (malware.rules)
2062240 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (interpwthc .digital) in TLS SNI (malware.rules)
2062241 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (overcovtcg .top) (malware.rules)
2062242 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (overcovtcg .top) in TLS SNI (malware.rules)
2062243 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (zmedtipp .live) (malware.rules)
2062244 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (zmedtipp .live) in TLS SNI (malware.rules)
2062245 - ET EXPLOIT_KIT DollyWay v3 PHP TDS Redirect M2 (exploit_kit.rules)
2062246 - ET MALWARE RedExt C2 Agent Register (malware.rules)
2062247 - ET MALWARE RedExt C2 Agent Exfiltration (malware.rules)
2062248 - ET MALWARE RedExt C2 Agent Beacon (malware.rules)
2062249 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clatteqrpq .digital) (malware.rules)
2062250 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (clatteqrpq .digital in TLS SNI) (malware.rules)
2062251 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enumermbzz .live) (malware.rules)
2062252 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (enumermbzz .live in TLS SNI) (malware.rules)
2062253 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (voznessxyy .life) (malware.rules)
2062254 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (voznessxyy .life in TLS SNI) (malware.rules)
2062255 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ninepicchf .bet) (malware.rules)
2062256 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ninepicchf .bet in TLS SNI) (malware.rules)
2062257 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (albizzcdlv .digital) (malware.rules)
2062258 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (albizzcdlv .digital in TLS SNI) (malware.rules)
2062259 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (aigjmr .digital) (malware.rules)
2062260 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (aigjmr .digital in TLS SNI) (malware.rules)
2062261 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lancery .digital) (malware.rules)
2062262 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lancery .digital in TLS SNI) (malware.rules)
2062263 - ET WEB_SPECIFIC_APPS D-Link DI-8100 ddos.asp multiple parameters Buffer Overflow Attempt (CVE-2025-4544) (web_specific_apps.rules)
2062264 - ET WEB_SPECIFIC_APPS H3C Magic NX15 /wizard Multiple Endpoints Command Injection Attempt (CVE-2025-2725) (web_specific_apps.rules)
2062265 - ET WEB_SPECIFIC_APPS GLiNet GL-AX1800 s2s API Command Injection Attempt (CVE-2024-39226) (web_specific_apps.rules)
2062266 - ET WEB_SPECIFIC_APPS JCM JIR-AC681 systools.asp Command Injection Attempt (web_specific_apps.rules)
2062267 - ET INFO DYNAMIC_DNS Query to a *.skamaria .net domain (info.rules)
2062268 - ET INFO DYNAMIC_DNS HTTP Request to a *.skamaria .net domain (info.rules)
2062269 - ET INFO DYNAMIC_DNS Query to a *.richsfamilyonline .net domain (info.rules)
2062270 - ET INFO DYNAMIC_DNS HTTP Request to a *.richsfamilyonline .net domain (info.rules)
2062271 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (araucahkbm .live) (malware.rules)
2062272 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (araucahkbm .live) in TLS SNI (malware.rules)
2062273 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (easterxeen .run) (malware.rules)
2062274 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (easterxeen .run) in TLS SNI (malware.rules)
2062275 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (featurlyin .top) (malware.rules)
2062276 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (featurlyin .top) in TLS SNI (malware.rules)
2062277 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (flowerexju .bet) (malware.rules)
2062278 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (flowerexju .bet) in TLS SNI (malware.rules)
2062279 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (posseswsnc .top) (malware.rules)
2062280 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (posseswsnc .top) in TLS SNI (malware.rules)
2062281 - ET WEB_SPECIFIC_APPS Tenda AC10 setPptpUserList list Parameter Buffer Overflow Attempt (CVE-2025-45779) (web_specific_apps.rules)
2062282 - ET EXPLOIT D-Link HNAP - Request Remote Buffer Overflow M1 (CVE-2014-3936) (exploit.rules)
2062283 - ET MALWARE RATatouille rand-user-agent Supply Chain Compromise CnC Activity (POST) (malware.rules)
2062284 - ET EXPLOIT D-Link HNAP - Request Remote Buffer Overflow M2 (CVE-2014-3936) (exploit.rules)
2062285 - ET EXPLOIT D-Link HNAP - Request Remote Buffer Overflow M3 (CVE-2014-3936) (exploit.rules)
2062286 - ET MALWARE RATatouille rand-user-agent Supply Chain Compromise CnC Activity (WebSocket) (malware.rules)
2062287 - ET MALWARE RATatouille rand-user-agent Supply Chain Compromise CnC Command Inbound (ss_dir) (malware.rules)
2062288 - ET MALWARE RATatouille rand-user-agent Supply Chain Compromise CnC Command Inbound (ss_fcd:) (malware.rules)
2062289 - ET MALWARE RATatouille rand-user-agent Supply Chain Compromise CnC Command Inbound (ss_upf:) (malware.rules)
2062290 - ET MALWARE RATatouille rand-user-agent Supply Chain Compromise CnC Command Inbound (ss_upd:) (malware.rules)
2062291 - ET MALWARE RATatouille rand-user-agent Supply Chain Compromise CnC Command Inbound (ss_stop:) (malware.rules)

Pro:

2861628 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2861629 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2861630 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2861631 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2861632 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2861633 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2861634 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2861635 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2861636 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2861637 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2861638 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2861639 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2861640 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2861641 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2861642 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2861643 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2861644 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
2861645 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2025/03/31 - v10894 Ruleset Updates	101	March 31, 2025
Ruleset Update Summary - 2025/04/14 - v10904 Ruleset Updates	133	April 14, 2025
Ruleset Update Summary - 2025/02/18 - v10861 Ruleset Updates	186	February 18, 2025
Ruleset Update Summary - 2025/01/13 - v10836 Ruleset Updates	102	January 13, 2025
Ruleset Update Summary - 2025/03/10 - v10875 Ruleset Updates	134	March 10, 2025

Ruleset Update Summary - 2025/05/12 - v10925

Summary:

Added rules:

Open:

Pro:

Related topics